Using Recorded Future to Update Quantitative Risk Scores

By Levi Gundert on May 2, 2017

In a new white paper, Recorded Future uses the methods and formulae provided in How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen to calculate the impact of various cyber threats to a company (using Recorded Future as the example). The paper even goes to the level of specific dollar loss amounts and whether a threat has any future probability of impacting information availability, integrity, or both.

The white paper details the process for quantitative risk analysis of cyber threats, using Recorded Future’s software-as-a-service — specifically dashboards, alerts, and API.

Let’s look at one example in this blog post: Android malware can pose significant risk to an organization. We’ll detail the threat intelligence value in calculating and updating risk probabilities for senior decision makers — one of threat intelligence’s most valuable use cases.

Information Threat Category: Android Malware

The Android operating system dominates 88 percent of smartphone market share, “with over 328 million Android devices shipped worldwide” (Q3, 2016). That’s a lot of Android devices storing personally identifiable information and acting as a primary device for two-factor authentication. Corporate BYOD programs have accelerated multi-purpose (personal and professional) Android device use. Financial service companies are rightfully concerned with Android threats to mobile banking customers, but all industry verticals should be concerned with the threat of Android malware to employees.

When information security professionals estimate the risk of Android malware causing future loss, a broad analysis of the threat and current security controls informs a higher quality estimate. A four-year Recorded Future search for Android malware references specifically in closed underground criminal forums reveals a macro trend of accelerating interest in the Android platform. It also reveals specific Android malware families that require additional analysis to understand capabilities and adversary intent.

Saving the above Recorded Future search and creating an alert for future new Android malware references enables Recorded Future’s natural language processing technology to automate some of the analysis process, saving analyst resources and ensuring peace of mind that new Android malware will be surfaced in near real time, especially in foreign languages. Recorded Future’s proprietary NLP technology identifies new threats in numerous foreign languages; some of the most important include Chinese, Russian, Arabic, Farsi, and German.

Additionally, any Recorded Future search is exportable to a JSON format for inclusion in a Recorded Future RESTful API query. This API flexibility enables strategic threat visibility for diverse analyst workflows that use third-party integration, orchestration, and ticketing tools.

Recorded Future also provides insight from open, closed, and technical sources, which, in the case of Android malware, is highlighted in social media, paste sites, code repositories, blogs, news, and partner Intel Card extensions. Recorded Future’s speed of source aggregation and analysis options is unparalleled. Since malicious Android files are typically packaged as APK files, a search for APK backdoor files and frameworks across Recorded Future’s broad sources will also contribute to an ongoing threat assessment.

Timeline of “APK backdoor” references.

Finally, Recorded Future Intel Cards provide an immediate analysis snapshot on specific malware families, in this case Android malware such as Mazaar and Exobot, to understand respective capabilities and impact on current security controls.

Using Recorded Future’s search and alert functions for Android malware dramatically improves an analyst’s ability to deliver a 90 percent confidence range of organizational impact as a calibrated estimator, the process of which is detailed in the white paper. A low- and high-value risk probability estimate will change during the course of a year as Recorded Future delivers future alerts and the quantitative risk model is updated with new values.
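To make the updating step concrete, here is an added example (not taken from the white paper or from Recorded Future) of how a revised event probability moves the outputs of a quantitative risk model. It assumes the loss is modeled as a lognormal distribution fitted to the analyst's 90 percent confidence range; the probabilities and dollar figures are constructed for illustration.

```python
import math

Z90 = 1.6448536269514722  # z-score bounding a two-sided 90% interval

def lognormal_from_ci(low, high):
    """Fit lognormal (mu, sigma) so that [low, high] is its 90% interval."""
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma

def expected_annual_loss(p_event, low, high):
    """Annual event probability times the mean of the fitted loss distribution."""
    mu, sigma = lognormal_from_ci(low, high)
    return p_event * math.exp(mu + sigma ** 2 / 2)

def prob_loss_exceeds(p_event, low, high, threshold):
    """One point on the loss exceedance curve: P(annual loss > threshold)."""
    mu, sigma = lognormal_from_ci(low, high)
    z = (math.log(threshold) - mu) / sigma
    tail = 0.5 * math.erfc(z / math.sqrt(2))  # 1 - Phi(z)
    return p_event * tail

# Constructed estimates for the "Android malware" threat category.
# "before": initial calibrated estimate; "after": revised once new alerts arrive.
ESTIMATES = {
    "before": {"p_event": 0.05, "low": 50_000, "high": 500_000},
    "after":  {"p_event": 0.10, "low": 50_000, "high": 500_000},
}

def compare(threshold=500_000):
    """Return {label: (expected annual loss, P(loss > threshold))}."""
    rows = {}
    for label, e in ESTIMATES.items():
        rows[label] = (
            expected_annual_loss(**e),
            prob_loss_exceeds(threshold=threshold, **e),
        )
    return rows

if __name__ == "__main__":
    for label, (eal, pex) in compare().items():
        print(f"{label}: expected annual loss ${eal:,.0f}, "
              f"P(loss > $500,000) = {pex:.4f}")
```

Because the threshold equals the upper bound of the 90 percent range, the exceedance figure is simply 5 percent of the event probability, which makes the effect of the revised probability easy to read.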

Ongoing strategic threat intelligence is the best option for risk analysis and ultimately risk management for chief information security officers (CISOs), senior executives, and the board, tasked with deciding current and future information security control spending and prioritization.